May 10, 2021

Last Updated on January 15, 2024

If you’re shopping for an MSP, what do you have to go on besides promotional copy, seat-of-the-pants research and maybe some peer recommendations? Is there an objective way to evaluate an MSP’s technical capabilities, business operations, security posture and overall expertise?

To scrutinize MSPs from all angles, including how to confirm their service quality and internal security before signing a contract, a recent episode of The Virtual CISO Podcast starred MSPAlliance co-founder Charles Weaver. Hosting the episode was John Verry, Pivot Point Security CISO and Managing Partner.

Charles explains how MSPAlliance validates participating members through its one-of-a-kind MSP Verify program: “We ask the MSP, in essence, ‘What do you do and how do you do it?’ We document their answer. And then we test it; or, more importantly, the auditor, the CPA auditor tests it, and then signs the opinion letter saying, ‘Yes, this is actually correct.’ So that produces an MSP Verify report.”

“What does [an MSP Verify report] give a customer who’s saying, ‘I’ve had four or five not-so-great relationships with MSPs… Who are you and why should I trust you?’,” asks Charles. “MSP Verify is not a guarantee that you’re going to win that project. It is a factual statement of what the MSP is doing with some reasonable amount of assurance behind it that it’s actually being done.”

“It’s a data point,” John rephrases. “Which is all we want. You make good decisions with good data, and you’re giving [outsourcers] good data.”

Charles continues: “Say I’m a customer and I want to know, does this MSP back up their own internal data? Because I’m concerned about the headlines about MSPs being hit by ransomware. So I go to objective #8 of our MSP Verify standard and I say, ‘Okay, right. This MSP is backing up their internal data every day. It’s encrypted, it’s in multiple places, or they air gap it, even better.’ So if that’s interesting to me and a concern to me, I go and I have an answer. Does the MSP use multi-factor authentication internally? I can find the answer there. So there’s a lot of business security, change management, corporate risk [information]. Do they carry cyber security insurance? We cover that. There’s a lot of answers; a lot of data in there.”

“If [the MSP is] going to be able to produce a SOC 2 analog, that has all that information in it, that’s been third-party attested… That’s a pretty significant value prop to somebody who’s looking for an MSP,” John confirms.

“We think so,” says Charles. “[MSP Verify] has global acceptance, it can be issued anywhere; and, most importantly, the controls transcend geopolitical boundaries and really apply to a global base.”

What exactly is the control set at the core of MSP Verify? The program got its start back in 2004 when, as Charles recalls, “We took bits of ITIL, ISO 27001 and Six Sigma, COBIT and a handful of other frameworks, and a lot of our own ingenuity. Nobody was talking about this stuff back then, except for us that I’m aware of. But we settled on a standard that we own, control and maintain, even to today. Then we went to the accounting profession, the SAS 70 and SOC 2 community, and said, ‘We want you to come in and be the independent validating body of our standard.’”

“It’s not a panacea,” explains Charles. “It doesn’t excuse the customer from asking probing questions and saying, ‘What is it that I really need?’ They should have that information before they reasonably should be outsourcing, because otherwise it’s just going to be a shot in the dark.”

“Another thing is, to some extent I can measure how serious someone is about their business, based on the fact that they’re willing to go through this process with you,” John points out. “Someone who’s writing a check and is willing to ascribe to a set of standards and live up to that set of standards is somebody who is serious about their craft.”

What’s Next?

“We still have a lot of work to do,” acknowledges Charles. “MSPs globally that have MSP Verify and/or a SOC 2 or a functional equivalent of that, like an ISO 27001 certification… It’s probably less than 5% of practicing MSPs on the planet. That’s not good…”

If your business is shopping for a new MSP, this podcast with Charles Weaver from MSPAlliance is just the support you need.

To listen to the show, click here. If you don’t use Apple Podcasts, you’ll find our complete selection of information security podcasts here.
